USBFILTER: Packet-level firewall for blocking USB-based threats


The problem of planted malicious USB devices is compounded by the fact that users rarely stop to think before plugging one in, even though they don’t know what could be on it. Curiosity gets the better of them, and, according to recent research by Google’s Elie Bursztein, some of them simply want to find out whom the stick belongs to so they can return it.

Bursztein believes that device policy and security awareness can save users from this type of attack, but solutions like USBFILTER might be of even more help.

Presented on Thursday at the 25th USENIX Security Symposium in Austin, Texas, USBFILTER is the creation of a group of researchers from the University of Florida and the University of Illinois at Urbana–Champaign.

USBFILTER provides packet-level access control for USB devices, and it’s meant to prevent threats like BadUSBs, USB sticks carrying malware and/or zero-day exploits, covert HID (Human Interface Device, e.g. keyboard or mouse) emulators, and so on from compromising computers.

USBFILTER architecture

“The core USBFILTER component is statically compiled and linked into the Linux kernel image, which hooks the flow of USB packets before they reach the USB host controller which serves the USB device drivers,” the researchers explain.

“Like Netfilter, this USB firewall checks a user-defined rule database for each USB packet that passes through it and takes the action defined in the first matching rule. A user-space program, USBTABLES, provides mediated read/write access to the rule database. Since USBFILTER intercepts USB packets in the kernel, it can control access to both physical and virtual devices.”

USBFILTER can block or permit specific device interfaces (i.e. functionalities), but also restrict them to a particular application, and can be used to prevent data exfiltration via USB storage devices.
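The first-match rule evaluation described above, modelled in user space as an added example (this is not USBFILTER’s or USBTABLES’ own code or rule syntax). The packet fields, rule fields, vendor/product IDs and process name are constructed placeholders, and a storage write is simplified to a single host-to-device transfer:

```python
from dataclasses import dataclass
from typing import Optional

# USB-IF base class codes for the two interface types the article discusses
HID_CLASS = 0x03
MASS_STORAGE_CLASS = 0x08


@dataclass(frozen=True)
class UsbPacket:
    """Constructed view of one USB transfer, reduced to the fields a rule can match."""
    vendor_id: int
    product_id: int
    iface_class: int
    direction: str            # "out" = host to device, "in" = device to host
    process: Optional[str]    # user-space process behind the transfer, if known


@dataclass(frozen=True)
class Rule:
    """A rule field left as None is a wildcard; every field that is set must match."""
    action: str               # "allow" or "drop"
    vendor_id: Optional[int] = None
    product_id: Optional[int] = None
    iface_class: Optional[int] = None
    direction: Optional[str] = None
    process: Optional[str] = None

    def matches(self, pkt: UsbPacket) -> bool:
        fields = ("vendor_id", "product_id", "iface_class", "direction", "process")
        return all(getattr(self, f) is None or getattr(self, f) == getattr(pkt, f)
                   for f in fields)


def filter_packet(rules, pkt: UsbPacket, default: str = "drop") -> str:
    """Netfilter-style evaluation: the first matching rule decides; otherwise default-deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed vendor/product IDs (placeholders, not real devices)
KBD_VID, KBD_PID = 0x1234, 0x0001     # the organisation's approved keyboard model
STICK_VID = 0x5678                    # vendor of the issued storage keys

POLICY = [
    # Only one application may write to storage; the allow must precede the broad
    # drop below it, because the first matching rule wins.
    Rule("allow", iface_class=MASS_STORAGE_CLASS, direction="out", process="backup-agent"),
    Rule("drop", iface_class=MASS_STORAGE_CLASS, direction="out"),   # closes the exfiltration path
    Rule("allow", iface_class=MASS_STORAGE_CLASS, direction="in"),   # reading sticks stays allowed
    Rule("allow", vendor_id=KBD_VID, product_id=KBD_PID, iface_class=HID_CLASS),  # known keyboard
    # Anything else, such as an HID interface on a storage key (the BadUSB pattern),
    # falls through to the default-deny.
]
```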

It can do all this, the researchers note, with minimal overhead, meaning it can be used in regular enterprise settings and not make an impact on work effectiveness.

For more details about the solution, its limitations, and helpful case studies, check out the researchers’ paper and presentation slides. The solution’s code has been made available on GitHub.